← Back to CVEs

CVE-2025-6213

HIGH

7.2

Description

The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVE Details

CVSS v3.1 Score7.2

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionNONE

Published7/22/2025

Last Modified8/1/2025

Sourcenvd

Honeypot Sightings0

Weaknesses (CWE)

CWE-94

References

https://github.com/psaux-it/nginx-fastcgi-cache-purge-and-preload(security@wordfence.com)

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332176%40fastcgi-cache-purge-and-preload-nginx&new=3332176%40fastcgi-cache-purge-and-preload-nginx&sfp_email=&sfph_mail=#file15(security@wordfence.com)

https://wordpress.org/plugins/fastcgi-cache-purge-and-preload-nginx/(security@wordfence.com)

https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve(security@wordfence.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.